Today, we launched a short Whiteboard Wednesday video aimed at providing a brief overview of how to effectively prepare for an incident. In this post, I'd like to expand on that a little bit by providing some additional concrete steps on how most organizations should be thinking about how preparedness can directly impact incident response program execution during a breach.
The first step is going to involve discovery and data collection. The goal: know what you're protecting and the resources you have at your disposal.
- Understanding the business - since the end goal of any incident response investigation is to identify remediation activities that restore normal business operations, you must focus on understanding the business priorities. Should you work to remediate the non-critical development environment before the production environment? Probably not; understanding the business will help you make better decisions.
- Understanding assets, users, and data - not only are these items the key property you are charged with protecting and restoring, but they are also the key tools and targets sought out by attackers during a breach. Understanding which key assets enable business processes will help focus monitoring and response efforts. Understanding the various user types will help determine incident scope. Understanding the data will help determine monitoring efforts and attacker motivations. Attackers consistently seek privileged accounts on critical assets in order to reach the target data.
- Understanding legal, regulatory, and policy drivers - most organizations conduct business in a regulated industry, whether the requirements are dictated by regulations such as PCI and HIPAA or by state and federal disclosure laws. Every incident response team must take this into account when building the program. A breach response cannot be considered successful if, at the end of the investigation, fines are levied against the business.
- Understanding technology, people, and processes - as responders, we're dependent on the technology at our disposal, the skills we've acquired throughout our careers, and a repeatable process for applying said skills. Technology and skills must be right-sized for the task at hand; do you need an expert reverse engineer or expensive forensics technology to respond to a commodity virus outbreak? Probably not. Should you have the right response processes defined that will enable an effective breach investigation? Probably so.
- Understanding communication needs - each organization will differ in the level of communication needed during a breach. Some executive teams and boards are thirsty for every detail; others simply want to know when the issue has been remediated.
- Identify the key contributors - while each breach response will be unique and require different contributors, you can begin to establish the core team members. Obviously, you'll require the technical team to drive analysis, the coordination team to manage and ensure that evidence is recorded, and probably representatives from Legal, HR, and Corporate Communications.
The next step is going to be documenting key processes and training the incident response team members.
- IR invocation process - how will you decide when to invoke the IR team? Who will be responsible for sounding the klaxon horn?
- Threat response processes - how will the technical analysts conduct analysis for identified threats? This is not a "how-to" guide, but rather a high level process for ensuring that evidence is recorded and communicated appropriately. You always want to rely on the creativity, skills, and instincts of your technical team to drive analysis.
- Threat and incident prioritization process - how will you ensure you deal with the gravest threats first? How will you prioritize response to multiple incidents? These questions can be answered by creating a prioritization process that takes into account the severity and criticality of assets, users, and data involved with the breach.
- Remediation prioritization - since the key to a successful incident response is restoring business operations, how will you determine which assets, users, and data will be restored first? Here again, taking into account business priorities, assets, users, and data will help make decisions that will enable the business to return to steady state quickly.
- Cleanup and lessons learned - there is never enough emphasis on deriving lessons learned from incidents. Ensuring that a post-mortem process is available to capture critical intelligence and recommendations to prevent breaches in the future will ensure that your threat detection and incident response programs are consistently maturing.
The final step is rehearsal. To quote an old saying: "practice makes perfect". Performing threat simulation exercises will allow the incident response team to rehearse response processes, expand familiarity with evidence, and grow their understanding of the attack lifecycle in a safe, stress-free environment. There is a reason the top law enforcement groups routinely train for various scenarios: the data shows that training and rehearsal build brain and muscle memory for critical tasks that must be executed without failure in the heat of the moment.
Now, if you're sitting there after reading this article wondering how in the world you're going to get all this done, don't worry, Rapid7 is here to help. As part of our recent announcement regarding general availability of incident response services, the Strategic Services organization has some programs to help:
- Threat Detection and Incident Response Program Development where our experts help your organization get better at detecting and responding to breaches.
- Threat Simulation Services where our experts create a threat scenario, tailored to your business, and host a tabletop threat simulation, or go the extra step and perform a staged breach of your environment.
- Incident Response Retainer where our experts are on call to help investigate a breach.
We also hosted a webcast that covers incident preparation and response with Mike Scutt and me: view it on-demand now!